Hack The Box: Optimum


Enumeration


The nmap scan reveals one open port: 80.

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The web page is served by a Rejetto file server (HFS), version 2.3.


After a quick Google search, we can find several RCE exploit scripts as well as a Metasploit module.


Initial Foothold

Running the Metasploit module, we’re in:

meterpreter > getuid
Server username: OPTIMUM\kostas

Privilege Escalation

After that, I ran the local exploit suggester module from Metasploit. It found two potential modules, exploit/windows/local/bypassuac_eventvwr and exploit/windows/local/ms16_032_secondary_logon_handle_privesc. The second one is a privilege escalation, so I tested it and got NT AUTHORITY\SYSTEM.